Last year the Office of Civil Rights (OCR) entered into 12 settlements with covered entities and its business associates (total amount in fines $23.51 mil. – more than a triple increase from 2015). It also issued several new guidance documents, launched a new HIPAA audit program, and announced that it will be investigating smaller breaches of PHI. The OCR is already close to beating the last year record due to pending settlements and ongoing investigations. Causes of investigations are theft or loss of the devices containing PHI, unauthorized access, and improper disposal of PHI. Additional penalties are imposed for failure to conduct accurate and thorough risk assessments, no management plans, failure to update or execute business associate agreements, failure to encrypt PHI, no adequate policies and procedures, and failure to restrict access. All these issues could be easily avoided if covered entities or its business associates regularly conducted proper risk assessments and take appropriate actions to address risks identified during the assessments. While risk assessments are normally performed when initiating new HIPAA policies, many healthcare businesses fail to update it on a regular basis.
If there were any changes in your operation: added a new business, new affiliation or a merger, new technologies, or any other new business component – you must perform a new risk analysis. Even if there were no substantial changes in the operation, but you haven’t performed a risk assessment for a period of time, it is time to do so now.
Guidance on Risk Analysis Requirements under the HIPAA Security Rule.